CVE-2019-13025
Description
Compal CH7465LG CH7465LG-NCIP-6.12.18.24-5p8-NOSH devices have Incorrect Access Control because of Improper Input Validation. The attacker can send a maliciously modified POST (HTTP) request containing shell commands, which will be executed on the device, to a backend API endpoint of the cable modem.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated remote code execution in Compal CH7465LG cable modems via command injection in ping/traceroute API.
Vulnerability
Compal CH7465LG cable modems running firmware version CH7465LG-NCIP-6.12.18.24-5p8-NOSH contain a command injection vulnerability in the ping and traceroute API endpoints. Input validation is only performed client-side, allowing an attacker to send a maliciously crafted POST request with shell commands that are executed on the device [1].
Exploitation
An attacker with network access to the modem's web interface, either via the local network or through the internet-enabled remote maintenance feature, can exploit this vulnerability without authentication. The attacker sends a POST request to the vulnerable API endpoint with specially crafted parameters containing shell metacharacters to inject arbitrary commands [1].
Impact
Successful exploitation grants the attacker remote code execution as the root user, leading to full compromise of the cable modem. This can be leveraged for network reconnaissance, traffic interception, or incorporating the device into a botnet [1].
Mitigation
As of the publication date, no official firmware patch is mentioned in the available references. Users are advised to restrict access to the web interface to trusted local networks and disable remote maintenance if not required [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Compal/CH7465LG
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing server-side input validation and shell escaping in the ping and traceroute API endpoints allows command injection."
Attack vector
An unauthenticated attacker sends a maliciously crafted POST request to the backend API endpoint that implements the ping or traceroute functionality [1]. Although the web interface is password-protected, the API endpoints themselves do not require authentication [1]. The attacker includes shell metacharacters and arbitrary commands within the POST parameters; because the input is only validated client-side and not escaped server-side, the injected commands are executed on the device's operating system shell [1].
Affected code
The vulnerable endpoint is in the shared library `libhttp_plugin.so2`, specifically the functions `cbn_http_xml_start_pin` (ping) and `cbn_http_xml_start_tracert` (traceroute) [1]. These functions call the `ping` and `traceroute` shell binaries without properly escaping or validating user-supplied POST parameters [1].
What the fix does
The advisory does not include a patch diff, but notes that an automatic firmware update to version CH7465LG-NCIP-6.12.18.25-2p6-NOSH was pushed to devices on 2019-09-22, which patches the vulnerability [1]. The researcher recommends always escaping and verifying user input when executing shell commands, and suggests using `exec()` instead of `system()` to avoid invoking a shell entirely [1].
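The recommendation above (validate the input server-side and start the binary without a shell), sketched as an added example; it is not the vendor's firmware code and not taken from the advisory. The function names, the `/bin/ping` path and the allowed character set are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define PING_PATH "/bin/ping" /* assumed path; not given on the page */

/* Server-side allowlist: 1..253 characters from [A-Za-z0-9.:-], and no
 * leading '-' (ping would parse that as an option). */
int is_valid_ping_target(const char *s)
{
    size_t n = s ? strlen(s) : 0;
    if (n == 0 || n > 253 || s[0] == '-')
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '.' && c != '-' && c != ':')
            return 0;
    }
    return 1;
}

/* Runs ping with the target as one argv element and no shell in between.
 * Returns ping's exit status, or -1 on rejected input or spawn failure. */
int run_ping(const char *target)
{
    int status;
    if (!is_valid_ping_target(target))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "ping", "-c", "1", (char *)target, NULL };
        execv(PING_PATH, argv);
        _exit(127); /* execv only returns on failure */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Constructed inputs: an address, and one carrying a shell metacharacter. */
    printf("%d %d\n", is_valid_ping_target("192.0.2.1"), run_ping("192.0.2.1;x"));
    return 0;
}
```

The two controls are independent: the allowlist rejects unexpected characters before any process is created, and `execv()` passes the value as a single argument, so it is never interpreted by a shell.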
Preconditions
- network: The attacker must be able to reach the device's backend API endpoint over the network (typically LAN-side, as the cable modem's web interface is accessible to local clients).
- auth: No authentication is required; the API endpoints do not enforce the web interface's password check.
- input: The attacker must craft a POST request containing shell metacharacters and commands in the ping or traceroute parameters.
Reproduction
The researcher published a PoC in their GitHub repository that sends arbitrary commands to the device shell [1]. For example, the PoC can start a telnet server on the device, allowing the attacker to connect to the debug CLI [1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
[1] xitan.me/posts/connect-box-ch7465lg-rce/ (mitre, x_refsource_MISC)